staging: rtl8192u: Fix use after free in ieee80211_rx()

We cannot dereference the "skb" pointer after calling ieee80211_monitor_rx(), because it is a use after free. Fixes: 8fc8598e ("Staging: Added Realtek rtl8192u driver to staging") Signed-off-by: Dan Carpenter <error27@gmail.com> Link: https://lore.kernel.org/r/Y33BArx3k/aw6yv/@kiliSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

staging: rtl8192u: Fix use after free in ieee80211_rx()
We cannot dereference the "skb" pointer after calling ieee80211_monitor_rx(), because it is a use after free. Fixes: 8fc8598e ("Staging: Added Realtek rtl8192u driver to staging") Signed-off-by: Dan Carpenter <error27@gmail.com> Link: https://lore.kernel.org/r/Y33BArx3k/aw6yv/@kiliSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
bcc5e2dc · Dan Carpenter · Greg Kroah-Hartman · 9dadff06 · bcc5e2dc
Commit bcc5e2dc authored Nov 23, 2022 by Dan Carpenter Committed by Greg Kroah-Hartman Dec 05, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c +3 -1

No files found.
--- a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c
+++ b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c
@@ -951,9 +951,11 @@ int ieee80211_rx(struct ieee80211_device *ieee, struct sk_buff *skb,
 #endif

 	if (ieee->iw_mode == IW_MODE_MONITOR) {
+		unsigned int len = skb->len;
+
 		ieee80211_monitor_rx(ieee, skb, rx_stats);
 		stats->rx_packets++;
-		stats->rx_bytes += skb->len;
+		stats->rx_bytes += len;
 		return 1;
 	}